An older, probably more secure Sony network of interconnected devices. Credit: Esa Sorjonen/Wikimedia
The rumored "third attack" on Sony servers being planned for this past weekend did occur — but as a soccer announcer might have put it, it was an "own goal."
According to The Hacker News, a blog based in India, someone in Japan discovered Thursday (May 5) that Sony had put a Microsoft Excel spreadsheet on the Internet — unprotected and naked to the world — containing the names and hometowns of 2,500 people.
All anyone needed to access it was a Google search string: "site:products.sel.sony.com filetype:xls".
The "site:" operator restricts results to pages on the host "products.sel.sony.com" (and its subdomains), and "filetype:" restricts them to files with an .xls extension; among the results was a file called "sweepstake.xls."
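The same two restrictions can be applied to your own inventory of URLs, which is the check a site owner would want to run before a search engine does it for them. The script below is an added example, not code from the original article or from Sony: it builds the search string quoted above and scans a list of URLs for files whose host and extension a "site:/filetype:" query would match. The URL list is constructed sample data on an example.com hostname, not a real crawl, and the set of extensions treated as sensitive is an assumption.

```python
"""Added example (not from the article): mimic the site:/filetype: search
operators locally to audit a URL list for exposed spreadsheets and dumps."""
from urllib.parse import urlparse

# Assumption: extensions that commonly hold personal data or backups and
# should not be reachable on a public web host.
SENSITIVE_TYPES = ("xls", "xlsx", "csv", "sql", "bak", "zip")

# Constructed sample inventory (e.g. from a sitemap or crawl log). Not real URLs.
SAMPLE_URLS = [
    "http://products.example.com/sweepstake.xls",
    "http://products.example.com/press/brochure.pdf",
    "http://old.products.example.com/exports/entrants.csv?dl=1",
    "http://example.org/products.example.com/fake.xls",   # host differs
    "http://products.example.com/index.html",
]


def build_dork(site: str, filetype: str) -> str:
    """Return the search string using the site: and filetype: operators."""
    return f"site:{site} filetype:{filetype}"


def matches_dork(url: str, site: str, filetype: str) -> bool:
    """Apply the two restrictions locally: the host must be `site` or a
    subdomain of it, and the last extension of the path must be `filetype`.
    The query string is ignored, as it is for a search engine's filetype:."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    site = site.lower()
    if not (host == site or host.endswith("." + site)):
        return False
    filename = parts.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext == filetype.lower()


def find_exposed_files(urls, site, filetypes=SENSITIVE_TYPES):
    """Return (url, dork) pairs for every URL that the corresponding
    site:/filetype: search would surface."""
    hits = []
    for url in urls:
        for ft in filetypes:
            if matches_dork(url, site, ft):
                hits.append((url, build_dork(site, ft)))
    return hits


if __name__ == "__main__":
    for url, dork in find_exposed_files(SAMPLE_URLS, "products.example.com"):
        print(f"{url}  <- would be found by: {dork}")
```

Running the same scan over a real sitemap or crawl log of your own hosts lists the files a search engine can already index; removing a file afterwards does not remove copies a search engine has cached, so that cache has to be checked and purged as well.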
The unnamed Japanese finder sent the link to The Hacker News, which posted a partial screenshot of the Excel file online.
The file seemed to show first names, last names, hometowns and ZIP codes of Americans whom Sony later said were entrants in a 2001 sweepstakes. But no street addresses or email addresses were included.
On Saturday (May 7), Sony announced that someone had "stolen" the data, and took the Excel file offline. (Taking a file off a web server does not remove copies that search engines have already cached.)
"The website was out of date and inactive when discovered as part of the continued attacks on Sony," a company spokesman told Reuters.
There actually isn't much of an increased security risk to the people named in the Excel file. There's less information in it than you’d find in a telephone book.
But it's still a slap in the face for Sony, which continues to insist that its security is, and has always been, rock-solid. (Skeptics may note that until last week Sony had left 23,000 unencrypted credit and debit card and bank account numbers on an "outdated database.")
Networks not coming back online soon
Meanwhile, a Sony spokesman told Bloomberg News yesterday (May 8) that the PlayStation Network and Sony Online Entertainment game networks, along with the Qriocity entertainment distribution service, will not be coming back online this week, contrary to what a message from CEO Howard Stringer on Thursday had indicated.
Sony's "plan to restart the services fully by May 31 is unchanged," the story noted.
The PlayStation Network and Qriocity were taken offline on April 20, after an intrusion was detected that affected about 78 million user accounts. On May 1, it was discovered that Sony Online Entertainment had also been breached, affecting a further 24 million accounts.
And Arik Hesseldahl at the Wall Street Journal's tech blog AllThingsD posted an interesting development on Friday (May 6). He said he had heard that Sony was mulling putting a bounty on the heads of the hackers responsible for the network intrusions, which the Journal estimated in another article might cost Sony $1 billion.
The online activist group Anonymous, which Sony suspects of carrying out the intrusion and stealing the data, on Saturday posted yet another press release denying involvement.
It alleged that Sony may have been violating the Payment Card Industry Data Security Standard (PCI DSS), which requires merchants to install and maintain network firewalls to protect customer credit and debit card information.
Security expert Eugene Spafford testified before a congressional subcommittee last Wednesday (May 4) that he had heard that Sony's network servers ran outdated, unpatched software, without firewalls.
The Anonymous statement also said that while it will stay on the sidelines regarding Sony, "other Internet hacker groups will apparently proceed with attacks over Sony's mishandling of the matter."